How do I get started with Cozzy?

Download the app from your app store and create your free account in under 2 minutes. Then securely link your bank accounts via Open Banking to see all your finances in one place.

Is my financial data secure with Cozzy?

Yes, Cozzy uses bank-level encryption and is GDPR compliant. We connect to your bank via Open Banking, which means we never see your login credentials. Your data stays yours.

How does Cozzy help me save money?

Set savings goals for anything — a holiday, emergency fund, or that next big purchase. Cozzy tracks your progress automatically and provides AI-powered insights to help you spend mindfully and save consistently.

Is Cozzy free to use?

Yes, Cozzy is free to download and use. You can track spending, set budgets, create savings goals, and get AI-powered financial insights at no cost.

What is the AI Coach in Cozzy?

Cozzy's AI Coach lets you ask questions about your finances in plain English. It gives you personalised spending summaries, budget checks, and actionable tips based on your actual transaction data.

Which banks does Cozzy support?

Cozzy connects to your bank via Open Banking, supporting major banks across the UK and Europe. Your login credentials are never shared with Cozzy — the connection is handled securely by regulated Open Banking providers.

← Back to Home

Cozzy Privacy Policy

Name: Cozzy
Author: Cozzy

Version 7 · Effective 6 March 2026

Privacy Policy

Last Updated: March 1, 2026

Cozzy ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share your personal data when you use our mobile application Cozzy (the "App").

We operate in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, the EU Artificial Intelligence Act, and Irish data protection laws as enforced by the Data Protection Commission (DPC).

---

1. Not Financial Advice

Cozzy is an educational and informational tool. We are not providing financial, investment, tax, legal, or other professional advice. Any insights, categorisations, projections, or content shown in the App are for general information only and should not be relied upon as a substitute for advice from a qualified professional.

---

2. Age Requirements

Cozzy is intended for users aged 16 and over.

If you are under 16 years of age, you are not permitted to use the App and must not create an account or provide any personal data to us.

By creating an account, you confirm that you are at least 16 years old. If we become aware that we have collected personal data from a user under 16 without appropriate legal basis, we will take steps to delete that information promptly.

If you are aged 16 or 17, we encourage you to review this Privacy Policy with a parent or guardian to ensure you understand how your data is used.

We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@cozzy.app so we can delete it.

---

3. Who We Are (Data Controller)

For the purpose of the GDPR, the Data Controller is:

Name: Cozzy
Address: Dublin, Ireland
Email: support@cozzy.io

---

4. Data We Collect

We collect the following types of information:

A. Information You Provide

Account Information: When you sign in via email, Google, or Apple, we collect your name and email address to create your account. If you sign in via Google or Apple, we may also collect your profile picture.
Customer Support: Any information you provide when you contact us for help.

B. Financial Data (via Open Banking)

To provide account aggregation and financial insights, we use an authorised Open Banking provider. When you connect a bank account, you explicitly consent to the provider accessing your data.

Data Processed: Account numbers, balances, transaction history, and account holder names.
Storage: We store this data securely on our backend (Supabase) to display it to you.
Note: We do not see or store your bank login credentials (PINs/passwords). These are handled directly by the Open Banking provider and your bank.

C. Device & Usage Data

Identifiers: Device ID and IP address.
Usage Data: How you use the app, crash logs, and performance data.

---

5. Legal Basis for Processing

We process your data under the following legal bases:

Consent: For connecting bank accounts (Open Banking), analytics cookies, and AI-powered features (see Section 10).
Contract: To provide the App's core features and manage your subscription.
Strictly Necessary Exemption (ePrivacy): Essential cookies that are strictly necessary for the App to function are exempt from consent requirements under Regulation 5(5) of S.I. No. 336/2011 (Ireland) and Regulation 6(4) of PECR (UK).
Legal Obligation: To comply with financial or tax regulations.
Legitimate Interest: To maintain security audit logs for fraud prevention and system integrity (GDPR Art. 6(1)(f)).

---

6. Third-Party Services (Data Processors)

We share data with trusted third-party providers to operate the App.

Service Provider	Purpose	Data Shared
Open Banking Provider	Open Banking Connectivity	Financial data, user consent tokens. The provider acts as an independent Controller for the connection.
Supabase	Backend Database & Auth	User ID, email, encrypted app data.
Google Firebase	Analytics & Crashlytics	Device ID, crash logs, usage statistics (only with your consent).
Google Cloud (Vertex AI)	AI-powered features (Olivia assistant, transaction categorisation)	Sanitised transaction descriptions, aggregated financial summaries. Sensitive data such as account numbers, IBANs, and personal identifiers are removed before processing (see Section 10). All AI processing occurs within the EU (europe-west4 region, Netherlands).
RevenueCat	Subscription Management	Purchase history, User ID (to sync subscriptions).
Sentry	Error Monitoring & Crash Analytics	Pseudonymised error logs, device info, app state. User IDs are hashed; emails, IP addresses, and personally identifiable data are stripped before transmission.

---

7. International Data Transfers

Some of our partners (e.g., Supabase, RevenueCat) may process data in the United States. We ensure these transfers are protected using Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

AI processing data residency: All AI-powered features (Olivia and transaction categorisation) are processed exclusively within the European Union via Google Cloud's europe-west4 region (Netherlands). Your financial data sent to AI models does not leave the EU.

---

8. Data Retention & Deletion

We retain your personal data for defined periods based on the purpose of processing and our legal obligations:

Data Category	Retention Period	Justification
Account information	Duration of account + 30 days	Contract performance (GDPR Art. 6(1)(b))
Financial / transaction data	Duration of account + 6 years	Legitimate interest in defending potential legal claims: Statute of Limitations Act 1957 s.11 (Ireland); Limitation Act 1980 s.5 (UK)
AI insights (Olivia responses)	Duration of account or until AI consent withdrawn	Consent (GDPR Art. 6(1)(a)); deleted immediately upon consent withdrawal
AI categorisation audit logs	90 days	Legitimate interest in service quality and debugging (GDPR Art. 6(1)(f))
AI interaction audit logs	90 days	Legitimate interest in security auditing and abuse prevention (GDPR Art. 6(1)(f))
AI security event logs	365 days	Legitimate interest in fraud prevention and incident investigation (GDPR Art. 6(1)(f))
Analytics data	14 months	Firebase Analytics default; data minimisation (GDPR Art. 5(1)(e))
Crash logs	90 days	Firebase Crashlytics default; data minimisation
Cookie consent records	6 months (then renewal)	DPC guidance on consent renewal cycles
Support correspondence	2 years from resolution	Customer service quality and dispute resolution

Deletion: You can delete your account and all associated data immediately by going to Settings > Delete Account in the App.
Effect of Deletion: Upon request, we delete your data from Supabase, revoke bank access tokens, anonymise audit logs, and delete all AI-generated insights and history.
AI Consent Withdrawal: When you disable AI features in Settings, we immediately delete your AI insight history and cached AI responses. Anonymised audit logs are retained for the periods stated above for security purposes.

Data Breach Notification: In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay in accordance with GDPR Article 34.

---

9. Your Rights

Under the GDPR, you have the right to:

Access the personal data we hold about you (Article 15).
Correct inaccurate data (Article 16).
Request deletion of your data ("Right to be Forgotten") (Article 17).
Request restriction of processing (Article 18).
Request portability of your data (Article 20).
Object to processing based on legitimate interests (Article 21).
Withdraw consent at any time.
Lodge a complaint with a supervisory authority (Article 77) — see Section 12 for contact details.

To exercise these rights, please contact us at support@cozzy.io.

---

10. Automated Decision-Making, Profiling, and AI

10.1 Overview

Cozzy uses artificial intelligence to provide two optional features:

1. Transaction Categorisation — automatically assigns spending categories to your bank transactions.

2. Olivia AI Assistant — provides personalised financial insights, answers questions about your spending, and generates smart alerts.

Both features are powered by Google Gemini (a large language model) running on Google Cloud Vertex AI within the EU (europe-west4 region, Netherlands).

10.2 No Automated Decisions with Legal Effect

These AI features are advisory and informational only. No automated process within Cozzy:

Restricts your access to features or services.
Blocks actions or functionality.
Makes credit, eligibility, or financial decisions on your behalf.
Produces legal effects or similarly significant effects on you.

All feature access is determined solely by your subscription tier. You can override any AI-generated categorisation at any time by manually selecting a different category.

10.3 What Data Is Processed by AI

Before your data is sent to the AI model, we apply comprehensive sanitisation to protect your privacy:

Removed before AI processing: Account numbers, IBANs, sort codes, email addresses, phone numbers, personal names, card numbers, and transaction reference numbers.
Special-category data protection (GDPR Article 9): We detect and exclude transaction descriptions that may reveal health information (e.g. medical providers), religious affiliation, political opinions, or trade union membership. These transactions are never sent to AI.
What is sent: Sanitised merchant names, generalised transaction descriptions (capped at 80 characters), and aggregated financial summaries (e.g. total spending by category, income amounts). No raw bank data is sent.

10.4 Your Control Over AI Features

AI features in Cozzy require your explicit consent before activation. You are in full control:

AI Insights (Olivia): You are prompted to enable or disable AI insights when you first use the App. You can change this at any time in Settings > Preferences > AI Features > AI Insights.
AI Transaction Categorisation: You can enable or disable AI categorisation separately in Settings > Preferences > AI Features > AI Transaction Categorisation.
When AI is disabled: The App continues to work normally. Transactions remain uncategorised (you can categorise them manually), and Olivia's data-driven insights that do not use AI remain available.
Consent withdrawal effect: When you disable AI features, we immediately delete your stored AI insight history and cached responses. Anonymised audit logs are retained for the periods stated in Section 8.

10.5 EU AI Act Transparency (Article 50)

In compliance with the EU Artificial Intelligence Act, we disclose that:

Olivia is an AI system that generates natural-language financial insights. Content produced by Olivia is clearly labelled as "AI-powered by Gemini" within the App.
Individual transactions that were categorised by AI display an "AI" indicator, distinguishing them from manually categorised or rule-based results.
Olivia's outputs are generated by a large language model and may occasionally contain inaccuracies. You should verify important financial information against your official bank statements.
You have the right to request human review of any automated output by contacting us at privacy@cozzy.app.

---

11. Cookie Policy

This section explains how Cozzy uses cookies and similar technologies in compliance with the ePrivacy Directive and Irish Data Protection Commission (DPC) guidelines.

11.1 What Are Cookies and Similar Technologies?

Cookies are small text files stored on your device. In the context of mobile apps like Cozzy, we use "cookies and similar technologies" to refer to:

Mobile SDKs that store identifiers on your device
Local Storage (SharedPreferences, UserDefaults) for app preferences
Device Identifiers used for analytics

11.2 Types of Cookies We Use

We categorize our cookies and similar technologies into two types:

#### Essential Cookies (Always Active)

These are necessary for the App to function and cannot be disabled.

Technology	Purpose	Data Stored	Retention
Authentication Tokens	Keep you signed in securely	Encrypted session token	Until logout
User Preferences	Remember your display settings	Currency, theme, notification preferences	Until account deletion or app data cleared
Cookie Consent	Remember your privacy choices	Consent status and date	6 months
Offline Cache	Allow app to work offline	Encrypted financial data	Until cleared

#### Analytics Cookies (Require Your Consent)

These help us understand how you use Cozzy so we can improve it.

Technology	Provider	Purpose	Data Collected	Retention
Firebase Analytics	Google LLC	Usage analytics	Pseudonymized usage patterns, screen views, feature engagement	14 months
Firebase Crashlytics	Google LLC	Crash reporting	Crash logs, device info, app state at crash	90 days

Important: Analytics data is:

Pseudonymized and aggregated for statistical purposes
Never sold to third parties
Shared only with Google under strict data processing agreements

11.3 Managing Your Cookie Preferences

You have full control over non-essential cookies:

#### When You First Open Cozzy

You will see a cookie consent popup with two options:

Accept All - Enable analytics cookies to help us improve the app
Essential Only - Use only essential cookies required for the app to function

#### Changing Your Preferences Later

You can change your cookie preferences at any time:

1. Go to Settings > Privacy > Cookie Preferences

2. Toggle analytics cookies on or off

3. Your changes take effect immediately

#### Consent Renewal

Following Irish DPC guidance, we will ask you to review your cookie preferences every 6 months to ensure your choices remain up to date.

11.4 What Happens If You Reject Cookies?

If you choose "Essential Only" or disable analytics cookies:

The App will work normally - All core features remain available
Your data stays private - No analytics data is collected
We cannot improve based on your usage - We will not know which features you find useful

11.5 Third-Party Cookies

Some of our partners may set their own cookies when you interact with their services:

Partner	When Used	Their Privacy Policy
Google	Analytics, Crashlytics	Google Privacy Policy
Open Banking Provider	Bank account connection	Available on request
RevenueCat	Subscription management	RevenueCat Privacy Policy

We encourage you to review these policies to understand how they handle your data.

11.6 Do Not Track

While mobile apps do not support the "Do Not Track" browser signal, we respect your choices through:

Our in-app cookie consent mechanism
Apple's App Tracking Transparency (ATT) framework on iOS

11.7 Updates to This Cookie Policy

We may update this Cookie Policy to reflect changes in our practices or legal requirements. If we make significant changes, we will notify you through the App and request your consent again where required.

---

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@cozzy.app
Support: support@cozzy.io
Address: Dublin, Ireland

You also have the right to lodge a complaint with the Irish Data Protection Commission:

Website: dataprotection.ie
Email: info@dataprotection.ie

If you are based in the United Kingdom, you may also contact the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113